Web browser functionality may be provided via an ActiveX® control that is hosted by another program code container. For example, one such hosting program is Microsoft Corporation's Internet Explorer component (e.g., iexplore.exe), which is essentially a frame that hosts a web browser ActiveX® control (e.g., shdocvw.dll). Virtually any other application program that wants to add browser functionality to the rest of its program may do so by appropriately hosting such a browser control.
When dealing with web browsing, security is an important consideration, as some websites are malicious and can cause problems on a user's computer system when the user visits such a site. For security purposes, the existing Microsoft® Internet Explorer web browser ActiveX® control, also referred to herein as the web OLE (Object Linking and Embedding) control, or WebOC, provides a security model based on the concept of zones. With zone-based security, each website is categorized based on its website address as belonging to a particular zone, namely, Internet, intranet, trusted, or restricted. (The concept of a local machine zone also exists and corresponds to locally-maintained files, but such a zone is not for websites.) Internet Explorer uses the zone information for a given site to allow or deny that site the ability to perform some requested functionality. For example, because the Internet zone is considered less secure than the intranet zone, a webpage from the Internet zone is not allowed to display content referenced via an image tag in the page if that image tag points to a file in the intranet zone (or, more generally, to any more secure zone).
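The zone-crossing rule just described, as an added C# example that is not part of the original text. It uses the .NET Framework's System.Security.Policy.Zone.CreateFromUrl, which asks the same URL security manager Internet Explorer uses to classify a URL into a zone, and then applies the rule that a page may not pull content from a zone more trusted than its own. The assumption that the numeric order of the SecurityZone enumeration reflects decreasing trust, the MayReference helper and the sample URLs are all constructed for this example; actual zone assignment depends on the machine's zone configuration.

```csharp
using System;
using System.Security;
using System.Security.Policy;

// Added example: zone classification and the zone-crossing check described
// in the text. Not code from the browser control or the platform.
static class ZoneCheck
{
    // Zone.CreateFromUrl consults the system URL security manager (the zone
    // mapping Internet Explorer itself uses) and returns the zone for a URL.
    public static SecurityZone ZoneOf(string url)
    {
        return Zone.CreateFromUrl(url).SecurityZone;
    }

    // Assumption: the SecurityZone enum is ordered by decreasing trust
    // (MyComputer < Intranet < Trusted < Internet < Untrusted). A reference
    // is allowed only when the target is not more trusted than the page
    // that references it, so an Internet page cannot load intranet or
    // local-machine content.
    public static bool MayReference(SecurityZone page, SecurityZone target)
    {
        if (page == SecurityZone.NoZone || target == SecurityZone.NoZone)
            return false;                      // unknown origin: deny
        return (int)target >= (int)page;
    }

    public static bool MayReference(string pageUrl, string targetUrl)
    {
        return MayReference(ZoneOf(pageUrl), ZoneOf(targetUrl));
    }

    static void Main()
    {
        // Constructed sample pairs: (referencing page, referenced content).
        string[][] cases =
        {
            new[] { "http://www.example.com/page.html", "http://intranet/logo.png" },
            new[] { "http://intranet/page.html",        "http://www.example.com/logo.png" },
            new[] { "http://www.example.com/page.html", "file:///C:/Users/Public/notes.txt" },
        };
        foreach (var c in cases)
        {
            Console.WriteLine("{0} page -> {1} content: {2}",
                              ZoneOf(c[0]), ZoneOf(c[1]),
                              MayReference(c[0], c[1]) ? "allowed" : "blocked");
        }
    }
}
```

On a default Windows configuration the first and third pairs are blocked (Internet page referencing Intranet and MyComputer content) and the second is allowed, matching the image-tag example in the text; the check is deliberately conservative and denies anything the security manager cannot classify.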
With contemporary operating systems such as Microsoft Corporation's Windows® Vista™-based operating system, the concept of “managed code” needs to be considered with respect to security, wherein managed code generally refers to any software code that contains one or more programs that are not in the CPU's native instruction set and/or have memory functionality managed for them by the system. For example, Windows® Vista™ works with a managed platform (Windows® Presentation Foundation) that is designed to run in a Microsoft® .Net environment, which is a managed code environment.
Regarding Internet security, the security model of at least one such managed code environment, e.g., the .Net environment, is not based on zones, but rather is based on Code Access Security (CAS). In the CAS model, a program runs with full trust or with partial trust. More particularly, in the CAS model, managed code can run in a full trust context with a full set of rights and privileges, or in a partial trust context with some lesser subset of rights and privileges. In general, in full trust, code is allowed to do essentially anything, while in partial trust, the code is allowed to do only those things for which it has permissions. For example, application code with full trust can read and write files to a hard disk, but partial trust application code cannot do the same, unless the code has an appropriate permission, e.g., a FileIO permission. When an application program is launched from the Internet, by default the application program is not given the FileIO permission, thereby preventing that program from performing file read/write operations.
For security reasons, in a managed code environment, the appropriate permissions are needed to run unmanaged code. The web OLE control is written in unmanaged code, and the permission to run unmanaged code is not granted to partially trusted code that is launched from the Internet. As a result, in a managed code environment, the web OLE control needs to be run by fully trusted code, e.g., the platform (Windows® Presentation Foundation) code after asserting for the “unmanaged code” permission. Note that platform code, which is signed and trusted, has the ability to elevate permissions so as to do specific work on behalf of partially trusted code; this way, the platform can provide a way for partial trust code to perform operations in a controlled manner, such as to access certain files.
The platform code that launches and hosts the web OLE control itself may be a managed control that is part of the platform code, and hence is able to assert the “unmanaged code” permission. However, if this hosting control simply elevated permissions and instantiated the unmanaged web OLE control, then the hosting site could navigate essentially anywhere, including navigating to local content or to non-originating websites. This would be an unacceptable security flaw.
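The CAS pattern from the preceding three paragraphs, as an added C# example that is not the platform's own code: trusted hosting code asserts the “unmanaged code” permission so that a partially trusted caller can reach the native browser control, shown once in the unchecked form the text calls a flaw and once guarded by a demand, made on the caller's behalf, that limits where the navigation may go. HostNavigate is a constructed stand-in for the native call into the control, the WebPermission-based check is this example's choice of guard rather than anything the text prescribes, and the sandbox grant set in Main is constructed. The code assumes the .NET Framework's CAS stack-walk enforcement (these types are not supported on .NET Core / .NET 5+).

```csharp
using System;
using System.Net;
using System.Security;
using System.Security.Permissions;

// Added example of the CAS assert/demand pattern described in the text.
static class BrowserHost
{
    // Stand-in (assumption) for the P/Invoke or COM call into the unmanaged
    // web OLE control: like real native calls it demands UnmanagedCode.
    [SecurityPermission(SecurityAction.Demand, UnmanagedCode = true)]
    static void HostNavigate(Uri target)
    {
        Console.WriteLine("native control navigating to " + target);
    }

    // The flaw the text describes: elevate and forward without any check, so
    // a partial-trust caller can steer the control to local content or to
    // a site other than its origin.
    public static void NavigateUnchecked(string url)
    {
        new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Assert();
        try { HostNavigate(new Uri(url)); }
        finally { CodeAccessPermission.RevertAssert(); }
    }

    // Guarded form: refuse local content outright, then demand WebPermission
    // for the exact target. That demand walks the whole call stack, so a
    // partial-trust caller lacking the right for that site is rejected
    // before any elevation happens. Only then is UnmanagedCode asserted,
    // and the assert is reverted as soon as the native call returns.
    public static void NavigateChecked(string url)
    {
        var target = new Uri(url);
        if (target.IsFile)
            throw new SecurityException("local content is not reachable through the hosted control");
        new WebPermission(NetworkAccess.Connect, target.AbsoluteUri).Demand();

        new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Assert();
        try { HostNavigate(target); }
        finally { CodeAccessPermission.RevertAssert(); }
    }

    static void Main()
    {
        // Constructed partial-trust grant set: execution plus the right to
        // connect back to the site of origin, and no UnmanagedCode right.
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        grant.AddPermission(new WebPermission(NetworkAccess.Connect, "http://origin.example.com/page"));

        string[] targets =
        {
            "http://origin.example.com/page",     // the caller's own site: allowed
            "http://other.example.com/",          // non-originating site: denied
            "file:///C:/Users/Public/notes.txt",  // local content: denied
        };

        // PermitOnly restricts this frame to the grant set, simulating a
        // partially trusted caller for the frames below it.
        grant.PermitOnly();
        try
        {
            foreach (var t in targets)
            {
                try { NavigateChecked(t); Console.WriteLine("checked:   allowed " + t); }
                catch (SecurityException e) { Console.WriteLine("checked:   denied  " + t + " (" + e.Message + ")"); }

                // The unchecked path succeeds for every target, which is
                // exactly the problem: the assert hides the caller's lack of
                // trust from the native control.
                try { NavigateUnchecked(t); Console.WriteLine("unchecked: allowed " + t); }
                catch (SecurityException) { Console.WriteLine("unchecked: denied  " + t); }
            }
        }
        finally { CodeAccessPermission.RevertPermitOnly(); }
    }
}
```

The ordering matters: the demand must precede the assert, because an assert of UnmanagedCode stops the stack walk only for that permission, and the guard is worth nothing if the elevation is left in place after the native call, which is why both paths revert the assert in a finally block.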